Didier Stevens

Wednesday 17 August 2022

Update: 1768.py Version 0.0.15

Filed under: My Software,Update — Didier Stevens @ 22:30

Some new features that help with analyzing memory dumps.

Here is the analysis of a VMware vmem file:

There’s a new sanity check, determining if an extracted configuration is OK or not OK (NOK).

A config passes the sanity check if it contains a valid payload type and a valid public key.

Configurations that don’t pass the sanity check, are most likely false positives: they have a valid header, but no valid fields. They can show up in memory dumps of Windows machines.

Option -S can be used to hide configurations that don’t pass the sanity check:

Now we are just left with detections of the sleep mask routine. What’s new in this version, is that the position where the signature was found is listed.

Finding both 32-bit and 64-bit routines is unusual.

Option -V can be used to dump 256 bytes before and after the signature, to help us get an idea what we are dealing with.

And what we actually found here, is the memory of the anti-virus program containing signatures, like signatures for Cobalt Strike sleep mask deobfuscation routines.

1768_v0_0_15.zip (http)
MD5: 15EBA21D59D78ED9A674DC2B88687555
SHA256: 73987F1B8577A5C31B2D7BDC197A465F8700B3F3C7838A31802BD77FFC872C42

Sunday 24 July 2022

Update: re-search.py Version 0.0.21

Filed under: My Software,Update — Didier Stevens @ 7:24

This new version of re-search.py adds a regex for UNCs to the library and has a Python 3 fix.

re-search_V0_0_21.zip (http)
MD5: 294DD5D4027F0AFD0A2DE6432FE4552D
SHA256: B818CE4F7E217B381128550A3A36B40B6D07CC687CE4CF5AFF3C70EC0D3EEAD2

Saturday 23 July 2022

Update: oledump.py Version 0.0.69

Filed under: My Software,Update — Didier Stevens @ 7:59

This update brings an update to plugin plugin_vba_dco.py.

This is a plugin that scans VBA source code for keywords (Declare, CreateObject, GetObject, CallByName and Shell), extracts all lines with these keywords, followed by all lines with identifiers associated with these keywords.

For example, if the result of a CreateObject call is stored in variable oXML, then all lines with this oXML identifier are selected.

I updated this plugin with two options -g (–generalize) and -a (–all).

Option -g generalize will replace all identifiers (like variable & functions names) with a general name: Identifier#### where #### is a numeric counter.

I added this option to analyze a sample where almost all identifiers where completely unreadable, as they consisted solely out of characters that are between byte values 128 and 255 (e.g., non-ASCII).

Here is the output for that sample, without using any plugin option:

You can see the CreateObject functions, but appart from the WshShell identifier, the other identifiers don’t have letters and are hard to trace in the code.

This changes when you use option -g:

All identifiers have been generalized to names like Identifier0001, Identifier0002, …

To view all generalized code (and not only the lines with keywords), use option -a:

Remark that this plugin is not a VBA parser: it uses some simple scans and regexes to find identifiers. For example, it handles line comments like any other lines.

oledump_V0_0_69.zip (http)
MD5: 9FDE05EB0B475C5BB76A92A926DBE8CD
SHA256: 16761C633DEC83CB691AE7223BB5AE82E5EC668F5D161499800638BC45420285

Tuesday 19 July 2022

Update: base64dump.py Version 0.0.23

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version adds JSON input support, allowing,for example, to detect encoded payloads inside the registry:

More info in an upcoming blog post.

base64dump_V0_0_23.zip (http)
MD5: 00D1E2344A6D09D3A2F18FC257F77090
SHA256: E4CA046198E801DFF309D6A8B346D5084FB4B4DFBFD339C5BCB3EF570CD08A79

Saturday 9 July 2022

simple_listener.py

Filed under: Announcement,My Software — Didier Stevens @ 21:05

This is the release of simple_listener.py, a Python program that can accept TCP and UDP connections and react according to its configuration. It has evolved from my beta program tcp-honeypot.py, that I will no longer maintain.

Everything you could do with tcp-honeypot, can be done with simple_listener.

I use simple_listener now whenever I need a server that listens for incoming TCP and/or UDP connections. For example, I have a configuration that can accept connections from Cobalt Strike beacons using leaked private keys.

simple_listener has a full man page, explaining all configuration items and options.

simple_listener_v0_1_2.zip (http)
MD5: 8F79FCB51EE2C1EB20B0F30F022EAE47
SHA256: F0EED539775AF36FFEB9B91529AF852C833D6A2764A9B9C65998AEA577F08175

Wednesday 29 June 2022

Update: format-bytes.py Version 0.0.14

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of format-bytes.py adds a feature to search for a range of integers:

#iv5#6080 means: look for an integer (i) equal to 6080 with a variation of 5 (v5), e.g., look for integers between 6075 and 6085.

format-bytes_V0_0_14.zip (http)
MD5: 600969FAC1F397036673574EA0BE0EE1
SHA256: D0EB0709985A4A5FEC1DA4B420CA440FF5268229CFFA1B3CC1EE5FAE92101957

Tuesday 28 June 2022

Update: cut-bytes.py Version 0.0.15

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version contains a Python 3 fix.

cut-bytes_V0_0_15.zip (http)
MD5: 1906873950C1DC55665072C7F3529D7F
SHA256: 2B9847E49C08021C61B8FA09C9DD400FC41E817F65E1C2BAC64ABBD87D49E238

Saturday 18 June 2022

New Tool: sortcanon.py

Filed under: Announcement,My Software — Didier Stevens @ 23:02

sortcanon.py is a tool to sort text files according to some canonicalization function. For example, sorting domains or ipv4 addresses.

This is actually an old tool, that I still had to publish. I just updated it to Python 3.

This is the man page:

Usage: sortcanon.py [options] [files]
Sort with canonicalization function

Arguments:
@file: process each file listed in the text file specified
wildcards are supported

Valid Canonicalization function names:
 domain: lambda x: '.'.join(x.split('.')[::-1])
 ipv4: lambda x: [int(n) for n in x.split('.')]
 length: lambda x: len(x)

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -c CANONICALIZE, --canonicalize=CANONICALIZE
                        Canonicalization function
  -r, --reverse         Reverse sort
  -u, --unique          Make unique list
  -o OUTPUT, --output=OUTPUT
                        Output file

Manual:

sortcanon is a tool to sort the content of text files according to some
canonicalization function.
The tool takes input from stdin or one or more text files provided as argument.
All lines from the different input files are put together and sorted.

If no option is used to select a particular type of sorting, then normal
alphabetical sorting is applied.

Use option -o to write the output to the given file, in stead of stdout.

Use option -r to reverse the sort order.

Use option -u to produce a list of unique lines: remove all doubles before
sorting.

Option -c can be used to select a particular type of sorting.
For the moment, 2 options are provided:

domain: interpret the content of the text files as domain names, and sort them
first by TLD, then domain, then subdomain, and so on ...

length: sort the lines by line length. The longest lines will be printed out
last.

ipv4: sort IPv4 addresses.

You can also provide your own Python lambda function to canonicalize each line
for sorting.
Remark that this involves the use of the Python eval function: do only use this
with trusted input.


sortcanon_V0_0_1.zip (http)
MD5: CC20EA756E3E0796C617830C8F91AFF4
SHA256: 42EDE51EE70A39FD0933A77B8FE119F1CA8C174336C0DA4C079B1F02C1AB33EC

Friday 17 June 2022

Update: base64dump.py Version 0.0.22

Filed under: My Software,Update — Didier Stevens @ 15:21

This new version of base64dump.py adds some extra info for the encoded strings.

In -e all mode, a new column Chars tells you how many unique characters are used for that encoded string:

For example, the last line is recognized as a syntactically valid variant of BASE85 (b85), but it uses only 63 unique characters (85 unique characters is the maximum). So this is probably not b85, or else the encoded data has low entropy.

And there is also new info when you select a string for info:

base64dump_V0_0_22.zip (http)
MD5: B38E4F454FAE219D771742B44D60A428
SHA256: 32695EEDDADAE9B1AFA1CAA70A69E2A0434E2264CEF836DE172BC5254C8E6281

Wednesday 15 June 2022

New Tool: dns-query-async.py

Filed under: Announcement,My Software — Didier Stevens @ 0:00

dns-query-async.py is a tool to perform DNS queries in parallel.

This is the man page:

Usage: dns-query-async.py [options] command file
Program to perform asynchronous DNS queries

accepted commands: gethost,getaddr

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -o OUTPUT, --output=OUTPUT
                        Output to file (# supported)
  -s NAMESERVERS, --nameservers=NAMESERVERS
                        List of nameservers (,-separated)
  -n NUMBER, --number=NUMBER
                        Number of simultaneous requests (default 10000)
  -t TRANSFORM, --transform=TRANSFORM
                        Transform input (%%)

Manual:

This tool performs asynchronous DNS queries. By default, it will perform 10000
queries simultaneously.

The first argument is a command. There are 2 commands for the moment: gethost
and getaddr
The second argument is a filename: a text file containing the items to resolve.

Use command getaddr to lookup the IP address of the hostnames provided in the
input file.
Example:
 dns-query-async.py getaddr names.txt
Result:
 didierstevens.com,1,96.126.103.196
 didierstevenslabs.com,1,96.126.103.196
 Duration: 0.20s

Use command gethost to lookup the hostnames of the IP addresses provided in the
input file.
Example:
 dns-query-async.py gethost ips.txt

Use option -s to provide the name servers to use (comma separated list).

Use option -n to change the number of asyncio workers (10000 default).

Use option -t to transform the input list and perform lookups.
For example, take list of subdomains/hostnames https://github.com/m0nad/DNS-
Discovery/blob/master/wordlist.wl
Issue the following command:
 dns-query-async.py -t %%.example.com getaddr wordlist.wl
Result:
 0.example.com,0,Domain name not found
 009b.example.com,0,Domain name not found
 01.example.com,0,Domain name not found
 02.example.com,0,Domain name not found
 03.example.com,0,Domain name not found
 1.example.com,0,Domain name not found
 10.example.com,0,Domain name not found
 101a.example.com,0,Domain name not found

The %% in %%.example.com is replaced by each hostname/subdomain in wordlist.wl
and then resolved.

Use option -o to write the output to a file.


dns-query-async_V0_0_1.zip (http)
MD5: 5F4253B06EC0C6F6EC8E1DFDB1886164
SHA256: D06D776F7B0042EFD5BFAB5CE32EAFDF6FFB85F1C85BB227156638060B639D33
Next Page »

Blog at WordPress.com.